Page 1 of 2

html into database

Posted: Thu Aug 29, 2013 8:11 am
by chris98
Hello, I am using PDO to create a download central.


I want to allow my users to post HTML code into their file description (i.e. <br>, <img>, etc.).

Every time I try, it outputs the exact same code, as if it is text. For example, I might enter:

Code:

<p><br><strong>test</strong> <u>test2</u></p>
The result is exactly the same as what I put in!

Code:

<p><br><strong>test</strong> <u>test2</u></p>
Why is this?

Why can't it just work?

What do I need to do to make it work?

Re: html into database

Posted: Thu Aug 29, 2013 8:13 am
by Celauran
Not much to work with here. Can you post some code?

Re: html into database

Posted: Thu Aug 29, 2013 9:18 am
by chris98

Code:

<?php
define('PUN_ROOT', dirname(__FILE__).'/../../');
include PUN_ROOT.'include/common.php';

// Guests are sent to the login page; exit so the rest of the script does not run for them.
if ($pun_user['is_guest']) {
    header("Location: ../../../login.php");
    exit;
}
require_once('general.php');
require_once('db/db_connection.php');

if (isset($_POST['submitBtn'])) {
    $user_id  = $pun_user['id'];
    $username = $pun_user['username'];
    $minimap_uploadLocation = "c:/wamp/www/stronghold2nation/downloads/files/minimaps/";
    $uploadLocation        = "c:/wamp/www/stronghold2nation/downloads/files/downloads/";

    // Form fields. htmlentities() is applied before the values are stored.
    $format   = isset($_POST['format'])    ? htmlentities($_POST['format'])    : '';
    $name     = isset($_POST['name'])      ? htmlentities($_POST['name'])      : '';
    $size     = isset($_POST['size'])      ? htmlentities($_POST['size'])      : '';
    $text     = isset($_POST['area1'])     ? htmlentities($_POST['area1'])     : '';
    $email    = isset($_POST['email'])     ? htmlentities($_POST['email'])     : '';
    $category = isset($_POST['data_name']) ? htmlentities($_POST['data_name']) : '';
    $minimap  = basename($_FILES['upfile']['name']);
    $file     = basename($_FILES['ufile']['name']);
    $date     = date("d/m/Y");

    // Max file size: 250MB (the form field is "ufile"; there is no field named "file").
    if ($_FILES['ufile']['size'] > 262144000) {
        exit('Your file size is too big. Please try again.');
    }

    // The preview image is optional; when one is supplied it must have an image extension.
    $allowed = array('gif', 'bmp', 'jpg', 'jpeg', 'png');
    if ($minimap !== '') {
        $ext = strtolower(pathinfo($minimap, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed)) {
            exit('This type of file extension is not allowed. Please upload a valid preview image.');
        }
        if (file_exists("../files/minimaps/".$minimap)) {
            exit('The preview image you are uploading already exists. Please specify a different name, then try again.');
        }
        move_uploaded_file($_FILES['upfile']['tmp_name'], $minimap_uploadLocation.$minimap);
    }

    // The download itself must be a zip file.
    $ext1 = strtolower(pathinfo($file, PATHINFO_EXTENSION));
    if ($ext1 !== 'zip') {
        exit('This type of file extension is not allowed. Please upload a zip file.');
    }
    if (file_exists("../files/downloads/".$file)) {
        exit('The zip file you are uploading already exists. Please specify a different name, and try again.');
    }
    if (!move_uploaded_file($_FILES['ufile']['tmp_name'], $uploadLocation.$file)) {
        exit('There was an error uploading the file. Please try again.');
    }

    // Minimum name and comment length.
    if ((strlen($name) > 2) && (strlen($text) > 5)) {
        $sql = "INSERT INTO downloads_unchecked (name,username,userid,size,text,minimap,date,file,category,email)
                VALUES (:name,:username,:userid,:size,:text,:minimap,:date,:file,:category,:email)";
        $ps = $pdo->prepare($sql);
        $ps->execute(array(
            ':name'     => $name,
            ':username' => $username,
            ':userid'   => $user_id,
            ':size'     => $size,
            ':text'     => $text,
            ':minimap'  => $minimap,
            ':date'     => $date,
            ':file'     => $file,
            ':category' => $category,
            ':email'    => $email,
        ));
    }

    header("Location: thank_you.php");
    exit;
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Add a file to Stronghold 2 Nation</title>
   <script type="text/javascript" src="http://js.nicedit.com/nicEdit-latest.js"></script>
   <script type="text/javascript">
   //<![CDATA[
   bkLib.onDomLoaded(function() { nicEditors.allTextAreas() });
   //]]>
   </script>
   <link href="style/style.css" rel="stylesheet" type="text/css" />
   <link href="style/button.css" rel="stylesheet" type="text/css" />
   <link rel="stylesheet" type="text/css" href="../style.css" />
   <link rel="stylesheet" type="text/css" href="style/style2.css" />
</head>
<body>
<div id="page">
      <div id="pagetop">
		<h1>Submit a File to Stronghold 2 Nation (page 2 of 2)</h1>
        <div class="links">    	
            <ul>
            </ul>
        </div>
     </div>
      <div id="main">
        <div id="formheader">Add your file to Stronghold 2 Nation!<br><br>Required Fields are marked with an Asterisk (*) </div>
        <div id="formbody">
          <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="fileform" id="fileform" enctype="multipart/form-data">
            <table align="center">
			  <tr><th>Category: *</th><td><select name="data_name">
<option value="">--Please Select Your Category--</option>
<option value="Peace Custom">Peace Custom</option>
<option value="Free Build">Free Build</option>
<option value="Kingmaker">Kingmaker</option>
<option value="Custom War">Custom War</option>
<option value="Miscellaneous">Miscellaneous</option>
</select><br></td></tr>
 <input type="hidden" name="MAX_FILE_SIZE" value="262144000" />
              <tr><th>File Name: *</th><td><input name="name" type="text" size="42" maxlength="25" /></td></tr>
			  <tr><th>File Size:*</th><td><input name="size" type="numerical" size="4" maxlength="10" /><input name="MB" id="MB" disabled value="MB" size="1" />(Megabytes)<br><a href="size.htm" target="_blank">Click here to learn how to work out the size of your File</a></td></tr>
              <tr><th>Full Description of your File:*</th><td><textarea name="area1" cols="42" rows="15" class="textarea"></textarea>This field may <b>not</b> contain html</td></tr>
              <tr><th><b>Preview Image</b>:<br></th><td><input class="text" name="upfile" type="file" size="36"><br></td></tr>
			  <tr><th>File:*<br></th><td><input class="text" name="ufile" type="file" id="ufile" size="36"><br></td></tr>
              <tr><th>Email:</th><td><input name="email" type="text" size="42" /></td></tr>
              <tr><th colspan="2" align="center"><br/><input class="text" type="submit" name="submitBtn" value="Continue" /><br><br>Your preview image must be less than 40KB, and must be either a PNG, JPEG or GIF image. It will also automatically get sized to 200x200 pixels.</th></tr>
            </table>  
          </form>

        </div>
        <div id="source"></div>	
      </div>
</body>
</html>
<?php } ?>    
(This is the full code.)

Re: html into database

Posted: Thu Aug 29, 2013 9:29 am
by AbraCadaver
htmlentities(): you are transforming the HTML into entities so that the browser will display the actual characters. Don't htmlentities() before inserting. Use htmlentities() before display if you don't want it treated as HTML.

Re: html into database

Posted: Thu Aug 29, 2013 9:39 am
by Celauran
You're using htmlentities() on the strings before saving them to the database, so you need html_entity_decode() before displaying them.
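Taking the two replies above together, here is an added example (not code from the thread or from the poster's site) of the pattern they describe: store the description untouched and decide at display time how much of it to honour. Decoding entities and echoing the result would let any user's description run script in every other visitor's browser, so the second renderer escapes everything and then re-enables only a fixed list of attribute-free tags. The tag list, the function names and the two-column INSERT are assumptions made for this example.

```php
<?php
// Added example, not the thread's code. Column names follow the thread's INSERT.

// Store the raw text. The parameterised query already protects the SQL; no HTML escaping here.
function storeDescription(PDO $pdo, $userId, $text)
{
    $ps = $pdo->prepare("INSERT INTO downloads_unchecked (userid, text) VALUES (:userid, :text)");
    $ps->execute(array(':userid' => $userId, ':text' => $text));
}

// Output as plain text: every tag shows up literally, nothing the user wrote can run.
function renderAsText($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Output with a small allowlist of formatting tags (the list is an assumption for this example).
// Everything is escaped first, then only exact, attribute-free tokens such as &lt;strong&gt; are
// turned back into real tags. An attribute (onerror="...", src="...") never survives the escape,
// so <img> and friends stay inert even if they are ever added to the list without attributes.
function renderWithAllowlist($text)
{
    $allowed = array('p', 'br', 'strong', 'em', 'u');
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowed as $tag) {
        $html = str_replace("&lt;$tag&gt;",  "<$tag>",  $html);
        $html = str_replace("&lt;/$tag&gt;", "</$tag>", $html);
    }
    return $html;
}

// Constructed sample input: the poster's own test string followed by markup that must not run.
$sample = '<p><br><strong>test</strong> <u>test2</u></p>'
        . '<img src="x" onerror="evil()"><script>evil()</script>';

echo renderAsText($sample), "\n";
echo renderWithAllowlist($sample), "\n";
```

The first echo shows the whole string literally. The second renders the paragraph, line break, bold and underline as real tags while the img and script elements stay visible as escaped text, because their opening tokens carry attributes or are not on the list. If the site needs attributes (an image source, a link target), that is the point to reach for a real HTML sanitiser rather than extending the string replacement.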

Re: html into database

Posted: Thu Aug 29, 2013 9:43 am
by chris98
Thank you. That's all it was. I have now, however, discovered a problem with the delete code. Could you tell me what I have done wrong here?

Every time I try to delete things, the zip file and preview image will go, but the data in the database stays. I also get no errors at all, and am using the advanced connection which normally displays them.

Code:

<?php
require_once('../submit/db/db_connection.php');
$id         = $_GET["id"];
$category   = $_GET["category"];
$name       = $_GET["file_name"];
$name_image = $_GET["preview"];
$file       = $_GET["file"];
$name_input = (isset($_POST['name']))       ? htmlentities($_POST['name'])       : '';
$name_2     = (isset($_POST['file_name2'])) ? htmlentities($_POST['file_name2']) : '';
$name_3     = (isset($_POST['file_name3'])) ? htmlentities($_POST['file_name3']) : '';

if (isset($_POST['submitBtn'])) {
    $id         = $_GET["id"];
    $category   = $_GET["category"];
    $name       = $_GET["file_name"];
    $name_image = $_GET["preview"];
    $name_input = (isset($_POST['name']))       ? htmlentities($_POST['name'])       : '';
    $name_2     = (isset($_POST['file_name2'])) ? htmlentities($_POST['file_name2']) : '';
    $name_3     = (isset($_POST['image_name'])) ? htmlentities($_POST['image_name']) : '';
    $file_name  = (isset($_POST['file_name']))  ? htmlentities($_POST['file_name'])  : '';

    $sql = "DELETE FROM downloads_unchecked WHERE id = :file";
    $ps  = $pdo->prepare($sql);
    $ps->bindParam(':file', $id, PDO::PARAM_INT);
    $ps->execute();

    array_map('unlink', glob("../files/files/".$file_name));
    array_map('unlink', glob("../files/minimaps/".$name_3));
    $actpath = isset($_POST['path']) ? $_POST['path'] : '../files/files';
    $actpath = isset($_GET['path'])  ? $_GET['path']  : '../files/files';

    header("Location: redirect.php");
} else {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>Delete an Upload</title>
   <link href="style/style.css" rel="stylesheet" type="text/css" />
</head>
<body>
      <div id="main">
	  <input type="hidden" name="file_name2" value="<?php echo $name ?>" />
	  <input type="hidden" name="file_name3" value="<?php echo $name_image ?>" />
        <div id="formheader">WARNING! This will delete all traces of this file ever being on our system.</div>
        <div id="formbody">The File Name is displayed below:
          <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="gbook" id="gbook">
		  <input type="hidden" class="text" name="file_name" type="text" size="36" value="<?php echo "".$file.""; ?>">
			  <input type="hidden" class="text" name="image_name" type="text" size="36" value="<?php echo "".$name_image.""; ?>">
			  <input type="hidden" name="name" type="numerical" size="20" maxlength="50" value="<?php echo "".$id.""; ?>"/>
            <table align="center">
              <tr><th>Are you sure?</th><td><input class="text" type="submit" name="submitBtn" value="Delete" /></td></tr>
              <tr><td colspan="2" align="center"><br/><br>
			  <?php echo "".$name.""; ?></td></tr>
			  
            </table>  
          </form>

        </div>
        <div id="source"></div>	
      </div>
</body>
</html>
<?php } ?>   

Re: html into database

Posted: Thu Aug 29, 2013 9:54 am
by Celauran
There's nothing wrong with the query itself. You aren't checking that $_GET['id'] actually contains a value, though.

Re: html into database

Posted: Thu Aug 29, 2013 9:57 am
by chris98
I have managed to echo it, but nothing else.

Re: html into database

Posted: Thu Aug 29, 2013 9:57 am
by AbraCadaver
Make sure you have error reporting on and comment out the header redirect so you'll actually be on the page that might show an error.

Re: html into database

Posted: Thu Aug 29, 2013 10:02 am
by chris98
There is still no error. It did definitely work when I used normal mysql, so I don't know what has gone wrong.

Re: html into database

Posted: Thu Aug 29, 2013 10:46 am
by Celauran
You're submitting to a page with no GET parameters. The form action is $_SERVER['PHP_SELF'], not $_SERVER['PHP_SELF'] . '?id=' . $id etc. Once the form has been submitted, the $_GET array is empty.

Re: html into database

Posted: Thu Aug 29, 2013 10:51 am
by chris98
No, the sort of thing I would be linking with would be:

Code:

delete.php?id=3&category=Custom War&file_name=ydyrytrytrytryty&preview=army medic.jpg&file=ancient_756.zip

Re: html into database

Posted: Thu Aug 29, 2013 10:54 am
by Celauran
To arrive at that page, sure. Look at the form action, though.

Code:

if (isset($_POST['submitBtn'])) {
var_dump($_GET);
}

Re: html into database

Posted: Fri Aug 30, 2013 9:33 am
by chris98
So, in other words, I would need an <input> to store the $_GET information, then transfer that to a different variable for the delete statement?

Re: html into database

Posted: Fri Aug 30, 2013 9:55 am
by Celauran
You already have one.

Code:

<input type="hidden" name="name" type="numerical" size="20" maxlength="50" value="<?php echo "".$id.""; ?>"/>
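Pulling the thread's diagnosis together, here is an added example (not the poster's code) of a delete handler that takes the record id from the hidden POST field Celauran points at, rejects anything that is not a positive integer, and deletes the row and the files based on what the database row says rather than on request parameters. The table and the file and minimap columns come from the INSERT earlier in the thread; the csrf_token session value, the two directory arguments, the function name and the use of PHP 7's random_bytes() are assumptions for this example, and $pdo is the connection the thread's db_connection.php provides.

```php
<?php
// Added example, not the thread's code. Assumes $pdo from db_connection.php and PHP >= 7.0.
require_once('../submit/db/db_connection.php');

function deleteDownload(PDO $pdo, array $post, array $session, $filesDir, $minimapDir)
{
    // The id arrives in the hidden input named "name"; accept only a positive integer.
    $id = isset($post['name'])
        ? filter_var($post['name'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)))
        : false;
    if ($id === false) {
        return 'No valid id was submitted.';
    }

    // A delete reachable by a plain POST is a CSRF target; require the per-session token.
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        return 'Invalid request token.';
    }

    // Look the row up first so the file names come from our own data, not from the form.
    $ps = $pdo->prepare("SELECT file, minimap FROM downloads_unchecked WHERE id = :id");
    $ps->execute(array(':id' => $id));
    $row = $ps->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'No record with that id.';
    }

    $del = $pdo->prepare("DELETE FROM downloads_unchecked WHERE id = :id");
    $del->execute(array(':id' => $id));
    if ($del->rowCount() !== 1) {
        return 'Nothing was deleted.';
    }

    // basename() pins each stored name to its directory, so a name cannot climb out of it.
    foreach (array(array($filesDir, $row['file']), array($minimapDir, $row['minimap'])) as $pair) {
        list($dir, $stored) = $pair;
        if ($stored === null || $stored === '') {
            continue;
        }
        $path = rtrim($dir, '/') . '/' . basename($stored);
        if (is_file($path)) {
            unlink($path);
        }
    }
    return true;
}

session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(16));
}

if (isset($_POST['submitBtn'])) {
    $result = deleteDownload($pdo, $_POST, $_SESSION, '../files/files', '../files/minimaps');
    if ($result === true) {
        header("Location: redirect.php");
        exit;
    }
    // Leaving the redirect out on failure keeps the message on screen, as AbraCadaver suggested.
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

The confirmation form needs one more hidden input, csrf_token, carrying $_SESSION['csrf_token'] alongside the existing hidden name input. Its action should also be a fixed path or htmlspecialchars($_SERVER['PHP_SELF']) rather than the raw value, since PHP_SELF echoes whatever path a visitor appended to the URL.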